|
On Wed, 23 Nov 2005, Graeme Fowler wrote:
> On Tue 22 Nov 2005 21:05:58 GMT , Mark de Vries
> <markdv.lvsuser@xxxxxxxxxx> wrote:
> > Hmmm... maybee.... Does 'masquarade' ineroperate with ip_vs? Or should I
> > use SNAT on the loadbalancer?? I'll give it a go tomorrow but if anyone
> > knows the anser please let me know.
>
> aha!
>
> Yes, netfilter/iptables does interact with LVS.
>
> Under LVS-NAT you need to make sure that the traffic exiting the
> director on the client side is what the client expects. That means SNAT
> (or masquerade).
>
> I have a bunch of servers behind a pair of active/passive directors on
> a private LAN. The public face of the directors is just that, facing
> the internet. I have a bunch of rules on the director in the "nat"
> netfilter table to ensure that connections being initiated inside the
> network are SNATted to the appropriate VIP address outside, and this
> makes the LVS-NAT FTP work for both active and passive.
>
> It's been like that for so long I had to go back and review the config
> to see why it worked :)
>
> In your case you probably need something on the director to say:
>
> iptables -t nat -I POSTROUTING -s $RIP/32 -j SNAT --to-source $VIP
>
> for each of your RIP/VIP sets.
Ahh.. ok, sounds like that should work. I thought ip_vs would/should thake
care of SNATting the data connection too as it does the inbound
connection.
OK. I'll give this a try. Thnx!
Grds,
Mark.
|
